3com Vlans & WAP for multiple (20) offices and shared Internet

Posted on 2007-08-11
Medium Priority
Last Modified: 2013-11-16
I need so help configuring a 3com 4500 switch and a watchguard X550e firewall to do the following:

The customer has an office building with 20 seperate business that need Internet access and VOIP capability. We are installing a mitel VOIP phone system for all offices as well.

We need to create a seperate Vlan for data (& connection to the Internet through the Watchguard Firewall) for each office. We would like to use the 3com's Auto oice VPN for the IP Phones. We will also be providing some hosted servers that the Data Vlans will need access to (A seperate "Server farm" Vlan).

The customer would also like to provide wireless access for each office as well as a Public (Open) WIFIi connection for the conference room. We will use 3 com 8760 WAPs for this, but I'm not sure how to get the appropriate wireless clients into their respective vlans. Is this even possiple?
Ideally all Vlan clients would get their IP address form the DHCP server in the watchguard, but Don't think the Watchguard can handle that.

Question by:mbriese
  • 3
  • 2
LVL 32

Expert Comment

ID: 19678146
WG support VLANs with the following limitations:
" You must have Fireware Pro installed on your Firebox [purchased seperately].
" VLANs are supported from trusted and optional interfaces only. The external interface does not
allow VLAN configuration.
" WatchGuards VLAN implementation does not support the spanning tree link management
" If your Firebox is configured with a drop-in configuration, you cannot use VLANs.
" One Firebox physical interface can be an untagged VLAN member of only one VLAN. For
example, if eth0 is an untagged member of a VLAN named VLAN-1, it cannot be an untagged
member of a different VLAN at the same time.
" A Firebox interface can send untagged data to only one VLAN.
" A Firebox interface can receive untagged data frames for only one VLAN.
" Your Firebox model and license controls the number of VLANs you can add to the Firebox. To see
the number of VLANs you can add to your Firebox, use Policy Manager to select Setup >
Licensed Features. Click the Active Features button and find the row labeled VLAN.

All network segments you want to add to a VLAN must have IP addresses on the VLAN network.

You need to use WG software version 9.0 for VLANs.

You can configure the Firebox as a DHCP server for the computers on your VLAN network.
1. Select the Use DHCP Server radio button to configure the Firebox as the DHCP server for your
VLAN network.
2. To add an IP address range, click Add and type the first and last IP addresses assigned for
distribution. Click OK. You can configure a maximum of six address ranges.
3. To reserve a specific IP address for a client, click Add next to the Reserved Addresses box. Enter a
name for the reservation, the IP address you want to reserve, and the MAC address of the clients
network card. Click OK.
4. Use the arrow buttons next to Leasing Time to change the default lease time.

Hope this helps. Please let me know if you need more details.

Thank you.

Author Comment

ID: 19680326
That is some great information. With a need for 20 vlans all with DHCP assigned address and with the need for Internet access, it sounds like to firebox wiil not support this. What would you do to provide "private" networks to 20+ offices and share 1 Internt connection?
LVL 32

Expert Comment

ID: 19681554
Well you have option to create secondary networks on one single interface in WG. So, theoretically you can create 20 secondary networks and then define VLAN for each one of them; normally when you create secondary networks as they are defined on one single port of the firewall device the traffic can flow between them. But in your case you would be defining VLANs and DHCP for each secondary network that you create so this should work.

I am also not sure that with Fireware Pro when creating secondary networks if you get an option to define VLANs, I think you should get the option. If you do get an option for VLANs, I think then the setup you want should work.

I have not tested this solution myself so didn't put it in the post earlier but I think it can be tried.

Author Comment

ID: 19684055
This is what I was thinking, however it appears that the firebox onl supports up to 6 DHCP scopes. I am also wondering how it would determine what Scope to pull the ip address for each vlan. Additionally I may be wron, but I think the firebox will provide routing between the secondary networks. If so is there a way to prevent this?

LVL 32

Accepted Solution

dpk_wal earned 1000 total points
ID: 19684254
The secondary networks are on the same physical interface and the traffic is allowed by default. I am not sure but I think we can define "Any" service to block traffic between the subnets [Again never worked on a scenario like this and don't have setup to test :(]. Something like:
Policy->Denied; from,; to,

If DHCP scope is a limitation then I do not think FB would suit your scenario. I think as we would associate each DHCP server according to VLAN and we specify IP as well while defining VLANs; this should help setting DHCP for one VLAN only but as I have not tried the scenario I am not sure.

Frankly I am not sure how VLANs respond as far as WG is concerned.

One solution is, If you put a router behind WG then WG would not do any VLAN and route management. You can configure the router as not to allow any traffic between the subnets and to respond to VLANs. On WG you can keep one subnet and one interface of router would be on the same subnet. For the other subnets you can define routes on the WG.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question